FBI Raids ‘Electronik Tribulation Army’ Over Witness Intimidation

FBI agents have raided the homes of three alleged members of a hacker gang that harassed a security expert who helped put the group’s leader in jail, according to a recently unsealed search warrant affidavit.

Jesse William McGraw, aka “GhostExodus,” pleaded guilty in May to computer-tampering charges for putting malware on a dozen machines at the Texas hospital where he worked as a security guard. He also installed the remote-access program LogMeIn on the hospital’s Windows-controlled HVAC system.

Last month’s raids were prompted by the aftermath of McGraw’s arrest. McGraw was the leader of an anarchistic hacking group called the Electronik Tribulation Army, and his bust led to a flood of harassment against the Mississippi computer-security researcher who discovered screenshots of the HVAC access online and informed the FBI.

“They set up a website in my name to pose as me, and put up embarrassing content or things they thought would embarrass me, including a call-to-action to buy sex toys, and fake pornographic images,” says R. Wesley McGrew, 30, of McGrew Security. “They harvested e-mail addresses from the university I work at and e-mailed it out to those.”

McGrew (who has no relation to McGraw) also suffered DDoS attacks on his website, as well as threatening e-mails, phone calls and IMs, according to the FBI. The harassment was “affecting a potential witness in an official proceeding,” the affidavit reads, and thus may violate federal law against witness intimidation.

On June 23, the FBI raided the homes of ETA members “Fixer,” “dev//null” and “Xon” in Manteca, California; Hamilton, Ohio; and Pittsburg, Kansas, respectively, as well as the home of McGraw’s sister in Grand Prairie, Texas. The search warrant affidavit was unsealed Friday. McGrew says the harassment stopped after the raids.

A notice on the ETA’s website strikes a defiant note. “On the 23rd of June 2010 the Federal Bureau of Investigation issued search warrants on ETA members,” the site reads. “All their computers and electronic devices have been taken for forensic investigation…. We are not terrorists, we are freedom fighters and cyber protesting is not illegal.”

From the search-warrant affidavit (.pdf), McGraw’s connection to the harassment appears thin. But the FBI also claims McGraw tipped off another ETA member that the FBI was on his trail, potentially violating obstruction-of-justice law.

On April 17, while McGraw was in jail for the HVAC access, the government gave his attorney a copy of his colleague Fixer’s Gmail and YouTube accounts in pre-trial discovery, revealing that they had Fixer under surveillance. Three days later, McGraw phoned his sister, and in a monitored phone call told her to instruct ETA-member dev//null to post a warning note to the group’s website.

“I need you to tell him that [it’s] ‘defcon black’ for Fixer,” he said. “[S]ay that Fixer is now ‘defcon black.’… You need to put it where they can see it … where everyone can see it. This is very important. There is nothing more important than this in life right now.”

He made similar emphatic calls to his wife and a friend, and then his sister again, remarking, “I was told by my attorney that they want to prosecute [Fixer] and arrest him.” He finally got word from his sister on April 23 that the message had been received, according to the affidavit. “I just talked to your Fixer guy,” his sister said. “He told me to tell you that everything’s been good, don’t worry about it.”

“I haven’t seen or heard anything that in my opinion amounts to obstruction of justice for my client,” said John Nicholson, a federal public defender representing McGraw, in a telephone interview Friday. “But that’s not for me to decide, and it’s not for the prosecutor to decide. That’s for the judge to decide.”

McGrew, the security researcher, has “gone out of his way to engage these ETA people,” Nicholson added. “He talks about the case on his blog all the time. It’s my understanding that he taught aspects of this case in his class. He communicates voluntarily with members of the ETA.”

As GhostExodus, McGraw was a colorful figure who once shot a YouTube video of himself staging an “infiltration” mission at an office building, in which he’s seen skulking through the halls and installing RxBot on a desktop computer. According to court records, ETA was building a modest botnet to attack a rival hacker gang. In another video he displays his personal collection of infiltration gear, including lock picks, a cellphone jammer and fake FBI credentials. Both videos turned out to be shot at the Northern Central Medical Plaza in Dallas, where he worked as a night security guard and had free run of the building.

While the videos suggest McGraw was something less than a grave danger to cyberspace, FBI agents took his antics seriously when they learned he’d installed a backdoor in the HVAC unit. A failure of the unit could have affected hospital patients in the middle of a hot Texas summer, or caused drugs and other medical supplies to go bad, according to the bureau.

McGraw’s sentencing in the hospital case is set for September 16 in Dallas.

Updated 7/9/10 at 17:05 EDT with comments from Nicholson; 7/12/10 at 12:00 to fix spelling of Electronik (thanks Fixer).